I used %timegenerated:::date-rfc3339%. It works better. It generates the following timestamp:
2016-01-28T13:57:46.672232+05:00

Thanks

On Wed, Jan 27, 2016 at 9:54 PM, Rainer Gerhards <[email protected]> wrote:

> 2016-01-27 17:52 GMT+01:00 Joe Blow <[email protected]>:
>
> > Sometimes I get really hacky and do things like this, if I only want
> > portions of whatever date (like for folders, etc...):
> >
> > year = %timegenerated:1:4:date-rfc3339%
> > 2digit month = %timegenerated:6:7:date-rfc3339%
> > 2digit day = %timegenerated:9:10:date-rfc3339%
> >
> > I know it's probably not the rsyslog approved way of doing things, but it
> > works.
>
> It's perfectly well from my PoV. I just think the OP wanted to have the
> year inside the timestamp, and the rfc3339 format does this without further
> tricks.
>
> Rainer
>
> > Cheers,
> >
> > JB
> >
> > On Wed, Jan 27, 2016 at 11:44 AM, Rainer Gerhards <[email protected]> wrote:
> >
> > > 2016-01-27 14:49 GMT+01:00 Muhammad Asif <[email protected]>:
> > >
> > > > I am using it in this way but to no avail.
> > > >
> > > > $template linuxbox,"<%pri%> %timegenerated:::date-rfc3164% 172.20.16.25 %syslogtag%%msg%"
> > > > $template linuxbox,"<%pri%> %timegenerated:::date-rfc5424% 172.20.16.25 %syslogtag%%msg%"
> > > > $template linuxbox,"<%pri%> %timegenerated:::date-rfc3339% 172.20.16.25 %syslogtag%%msg%"
> > >
> > > What was the output of that template? It should be an RFC3339 timestamp
> > > with the full year.
> > >
> > > Rainer
> > >
> > > > *.* /var/log/temo.log;linuxbox
> > > >
> > > > Thanks
> > > >
> > > > On Wed, Jan 27, 2016 at 4:03 PM, Rainer Gerhards <[email protected]> wrote:
> > > >
> > > > > 2016-01-27 11:58 GMT+01:00 David Lang <[email protected]>:
> > > > >
> > > > > > On Wed, 27 Jan 2016, Muhammad Asif wrote:
> > > > > >
> > > > > >> Hi Geeks,
> > > > > >>
> > > > > >> My snort is not attaching year in logs. I want to forward these logs to
> > > > > >> next server but I want to add year in timestamp. I tried many templates but
> > > > > >> to no avail, result is same like "Jan 27 15:32:17". How can I add year in
> > > > > >> timestamp.
> > > > > >>
> > > > > >> %timegenerated:::date-unixtimestamp%
> > > > > >> %timegenerated:::date-rfc3339%
> > > > > >> %timegenerated:::date-strftime(%Y-%m-%d %H:%M:%S)%
> > > > > >
> > > > > > you can't put a year in the timestamp when using a rfc3164 message format,
> > > > > > you can only do it when using the rfc5424 format (RSYSLOG_ForwardFormat as
> > > > > > opposed to RSYSLOG_TraditionalForwardFormat)
> > > > >
> > > > > I thought the question is just related to the output end. But note that
> > > > > recent rsyslog can accept a year in RFC3164, because that happens commonly
> > > > > enough. In order to prevent false positives, you need to enable it, though
> > > > > (see pmrfc3164 doc, param is "detect.yearaftertimestamp").
> > > > >
> > > > > HTH
> > > > > Rainer
> > > > >
> > > > > > now, you can put anything you want in the message body, and I format the
> > > > > > message body as JSON so that I can do so and still extract the original
> > > > > > message.
> > > > > >
> > > > > > David Lang
> > > > > >
> > > > > > _______________________________________________
> > > > > > rsyslog mailing list
> > > > > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > > > > http://www.rsyslog.com/professional-services/
> > > > > > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > > > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> > > > > > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> > > > > > DON'T LIKE THAT.
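The templates discussed in this thread, as an added example that is not part of the original posts and is not rsyslog code: a small Python emulation of the `%timegenerated:fromChar:toChar:option%` placeholder, showing that `date-rfc3164` output carries no year or UTC offset while `date-rfc3339` does, and how the 1-based substring positions pick out year, month and day. The sample instant is the one from the output quoted above; the message fields and the `/var/log/remote` path are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

# Constructed sample: the instant from the RFC 3339 output quoted in the thread.
SAMPLE_TS = datetime(2016, 1, 28, 13, 57, 46, 672232,
                     tzinfo=timezone(timedelta(hours=5)))
# Constructed message fields (not from the thread).
SAMPLE_PROPS = {"pri": "33", "syslogtag": "snort[1234]:", "msg": " constructed alert"}

FORMATS = {
    # "Mmm dd hh:mm:ss": space-padded day, no year, no UTC offset.
    "date-rfc3164": lambda t: f"{MONTHS[t.month - 1]} {t.day:2d} {t:%H:%M:%S}",
    # Full year, microseconds and numeric UTC offset.
    "date-rfc3339": lambda t: t.isoformat(timespec="microseconds"),
    # Seconds since the epoch.
    "date-unixtimestamp": lambda t: str(int(t.timestamp())),
}

# Matches %property% or %property:fromChar:toChar:option%
PLACEHOLDER = re.compile(r"%(\w+)(?::(\d*):(\d*):([\w-]*))?%")

def expand(template, ts=SAMPLE_TS, props=SAMPLE_PROPS):
    """Expand the subset of string-template syntax used in the thread."""
    def repl(match):
        name, start, end, option = match.groups()
        if name == "timegenerated":
            # This sketch requires an explicit date option.
            text = FORMATS[option](ts)
        else:
            text = props[name]
        if start and end:
            # fromChar/toChar are 1-based and inclusive.
            text = text[int(start) - 1:int(end)]
        return text
    return PLACEHOLDER.sub(repl, template)

def dated_path(ts=SAMPLE_TS):
    """Per-day log path built with the substring trick (hypothetical path)."""
    return expand("/var/log/remote/%timegenerated:1:4:date-rfc3339%/"
                  "%timegenerated:6:7:date-rfc3339%/"
                  "%timegenerated:9:10:date-rfc3339%/snort.log", ts)
```
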

